Internet Explorer Used to Exploit Windows MHTML Vulnerability

A vulnerability in the way Internet Explorer parses MHTML content, a method for combining multiple file types and HTML content into a single file, is now being exploited against users as part of a “drive-by” browser attack.


It’s called that due to the process by which attackers exploit the loophole: They’ll create a malicious website, lure a user in, and then force the user’s browser to run JavaScript code. This code can access information from a user’s browser or, worse, entice a user to install additional code that opens up his or her system to additional hacks.

“The end result of this type of vulnerability is script encoded within the link executed in the context of the target document or target web site,” write [Dave Ross and Chengyun Chu](http://blogs.technet.com/b/srd/archive/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability.aspx) in Microsoft’s Security Research & Defense blog.

The MHTML exploit was originally published on a website called WooYun, and Microsoft acknowledged the issue in [a January security advisory](http://www.microsoft.com/technet/security/advisory/2501696.mspx). A recent update to the advisory by Microsoft—later verified by Google—indicates that the exploit is now being put to use.

“We’ve noticed some highly targeted and apparently politically motivated attacks against our users,” write members of the Google Security Team in [a blog post](http://googleonlinesecurity.blogspot.com/2011/03/mhtml-vulnerability-under-active.html). “We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site.”

Neither Google nor Microsoft went into any additional detail as to the exact kinds of users the exploit has targeted. Microsoft has itself released a “Fix It” solution to combat the issue, but there’s been no timeline set for a full-fledged patch to the browser.

According to Qualys’ Wolfgang Kandek, the attack only works against those running Internet Explorer. Microsoft has verified that statement by noting that the attack actually works due to a specific Windows vulnerability, making one’s version of Internet Explorer irrelevant as part of a fix. However, a quick fix beyond the downloadable “Fix It” pack is to switch over to an alternate browser, such as Chrome or Firefox, for the time being.

“Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules,” [Kandek writes](http://laws.qualys.com/2011/01/microsoft-advisory-on-client-s.html).

Microsoft itself has previously posted [a test scenario](http://blogs.technet.com/b/srd/archive/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability.aspx) that users can run to determine whether their browsers are exposed to the MHTML vulnerability. All that one needs is access to a web server in order to upload a single .MHT test file. For unprotected browsers, accessing the file will result in a little pop-up box that says, “hello,” whereas protected versions of Internet Explorer will instead receive a notification that the site is trying to “communicate with your computer” in a way disallowed by one’s security settings.